Time Difference from Blind SQL Injection

The time difference between the runtime and the production table of the tool Marathon on Blind SQL Injection: time-Based Blind SQL Injection using heavy queries: A practical approach for ms SQL Server, MS Access, oracle and MySQL databases and Marathon ToolProjection Film(Whitepaper)(Program downloads)(Whitepaper)(Extras)(MarathonTool)
Okay, I have to admit that, in this process, I am leaving again. I ran to hear the transparent method that is closely related to us :「The time difference between the runtime and the production table of the tool Marathon on Blind SQL Injection: time-Based Blind SQL Injection using heavy queries: A practical approach for ms SQL Server, MS Access, oracle and MySQL databases and Marathon Tool)」.

The following is the Chema Alonso (Meeting,Blog):
The spirit of this technique is mainly inBlind SQL injectionIf the results of different SQL injection commands cannot be determined by the HTTP Response itself, the time difference can be used to determine the cause. You can design a very time-consuming SQL command. If the SQL injection is successful at this time, what is the result of this SQL injection command, it will affect the speed at which the Web server returns HTTP response. This can be used to determine the result of the explain SQL injection command line.

When Chema was demo on the platform, he suddenly showed a photo of him smoking marijuana. He took out a camera and listened to the camera. He suddenly did not use Spanish words: 「 1, 2, 3, 4, and 5 」, injection successful! 」 Like a superhacker. He is currently in MadriRey Juan Carlos UniversityDoctor of the University's attacking role, which is jointly referred to by Dr. Antonio Guzman and Dr. Marta Beltran. In fact, this role is based on his doctor's discussion.

Jose Parada is working in microservices, and Chema is also known as zookeeper.Most Valuable entrepreneurs (MS MVPAs early as the end of last yearPublished on the official TechNet of Microsoft.

Chema hasA popular blog in SpainIf you are interested, you can give me a try. If you know Spanish. I don't know about Spanish. I can use a machine to flip it over and find many good things. For example, Chema contains three (I,II,3.His DEFCON experience. If you dig it, you will find that hePhoto taken from the camera is coming out.. Because many DEFCON users have special identities and do not like to be photographed, they are generally not allowed to take pictures in groups, so there are very few photos outside, people who have not actually gone through the game are also less likely to imagine what the scene is like. When will he take it away? If you are interested, you can take a look ;-)

In addition, he posted the following on his blog:His slides... In fact, he announcedAll videos... In factBlack Hat has published all the slides...

There are a lot of fun to do. Just dig it yourself! How can I understand it? I am working as a Spanish colleague Roman!

This presentation has also been announced.White paper, hereHere, you will find four other authors: Daniel, Rodolfo, Antonio, and Marta. Want to watch video? If you listen to Spanish,Here's Daniel's role., Datong Xiaoyu.

I will use their paper to take you through it!

XianzhiBlind SQL injection. False settings I am the attacker. The Blind SQL injection statements are white-coded. Generally, the Blind SQL injection statements refer to the situations where the object website does not have any complaints, SQL injection method. In SQL injection, attackers need to know two important information points:

1. Is SQL injection successful? Definition: Can the SQL commands executed by the target server be effectively reflected?
2. What is the result of the execution of the SQL injection command?

First, it is easy to understand that the attacker needs to execute SQL injection. The first step is to be able to effectively display the SQL commands executed by the target web application from the outside. If the website has an error message, the error message is returned. If you do not have an activation message, you can learn it by using other methods, such as checking the difference between success and failure attempts on the webpage.

The second step is very important, because when the attacker can successfully inject commands, the attacker must be able to understand the result of the injection commands after the execution; especially for some methods that use the "if" command, attackers must be able to grasp the result of the command. I have several examples.

The hypothetical website has a website that allows users to use product products to search for products. We know that a product has a quota of 1234. the URL of our query is as follows:

Http://www.victim.com/search.asp? Q = 1234

Lists the related materials in the product order of 1234. If you cannot find the product in sequence, the response page will "cannot find this product !」

The SQL command at the end of the pseudo-configuration is as follows, and no processing changes are made to q (q is a tainted which is not dry ):

objConn.Execute("select * from product_table where serial=

" + Request.QueryString("q"));

Attackers can refer to this URL first:

Http://www.victim.com/search.asp? Q = 1234 AND 1 = 0

Found: "This product cannot be found !」

The attacker then tries the second URL:

Http://www.victim.com/search.asp? Q = 1234 AND 1 = 1

It was found that 1234 of domestic products were introduced. The attacker makes the following conclusions:

A. the hacker has the SQL injection vulnerability, which affects the attacker's SQL command and effectively completes the operation.
B. The result of a response row can be determined by the response plane of the response.

For (B), we make the first plane (AND 1 = 0) into a plane (false page ), AND the second plane (AND 1 = 1) is made into a positive plane (true page ). This aims to determine whether the evaluation of condition SQL is true or false.

For example, the attacker can design the following URL:

Http://www.victim.com/search.asp? Q = 1234 AND (100> ASCII (Substring (select system_user )))

If the result is returned, we are told that the ASCII value of the first character of system_user is smaller than or equal to 100; if the response is positive, it will tell us that the first dollar is more than 100. The automatic attack tool can quickly calculate the current system_user name of the information after a series of attacks.

Sense of Artificial Neural Chema Alonso (html/defcon-16/dc-16-speakers.html # Alonso "> Meeting, Blog) Agree with us He slidesSo let's take a look at the real content examples used in the slides (the content is completely rooted in the slides ):

First, we can see that we did not make any changes to the URL:
<